Bug 36083 - REGRESSION (r55772-r55834): Crash in JavaScriptCore RegExp code on PowerPC
Summary: REGRESSION (r55772-r55834): Crash in JavaScriptCore RegExp code on PowerPC
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Macintosh PowerPC OS X 10.5
: P1 Critical
Assignee: Nobody
URL: http://groups.google.com/group/jquery...
Keywords: InRadar, Regression
: 36086 36087 36090 36126 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-03-12 20:52 PST by Kevin M. Dean
Modified: 2010-03-16 16:15 PDT (History)
4 users (show)

See Also:


Attachments
Crashlog (35.16 KB, text/plain)
2010-03-12 20:52 PST, Kevin M. Dean
no flags Details
The patch (2.27 KB, patch)
2010-03-16 15:55 PDT, Gavin Barraclough
oliver: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Kevin M. Dean 2010-03-12 20:52:25 PST
Created attachment 50651 [details]
Crashlog

I've crashed 9 times over the last 2 days on various different sites. The google site listed above is just one of them.

They all show the same crash information. (Full log as attachment).


Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x00609400 __ZL5matchPKtPKhiR9MatchData + 11856
1   com.apple.JavaScriptCore      	0x0060a780 jsRegExpExecute(JSRegExp const*, unsigned short const*, int, int, int*, int) + 1216
2   com.apple.JavaScriptCore      	0x00612e88 JSC::RegExp::match(JSC::UString const&, int, WTF::Vector<int, 32ul>*) + 568
3   com.apple.JavaScriptCore      	0x006254b8 __ZN3JSCL22stringProtoFuncReplaceEPNS_9ExecStateEPNS_8JSObjectENS_7JSValueERKNS_7ArgListE + 3768
4   com.apple.JavaScriptCore      	0x00570770 JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*, JSC::JSValue*) + 52624
5   com.apple.JavaScriptCore      	0x00576b94 JSC::Interpreter::execute(JSC::FunctionExecutable*, JSC::ExecState*, JSC::JSFunction*, JSC::JSObject*, JSC::ArgList const&, JSC::ScopeChainNode*, JSC::JSValue*) + 1140
6   com.apple.JavaScriptCore      	0x0059153c JSC::JSFunction::call(JSC::ExecState*, JSC::JSValue, JSC::ArgList const&) + 172
7   com.apple.JavaScriptCore      	0x0050f71c JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 156
8   com.apple.WebCore             	0x0179b560 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1968
9   com.apple.WebCore             	0x01525390 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 512
10  com.apple.WebCore             	0x014e7008 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 440
11  com.apple.WebCore             	0x014e7e2c WebCore::DOMWindow::dispatchLoadEvent() + 300
12  com.apple.WebCore             	0x01452fdc WebCore::Document::implicitClose() + 716
13  com.apple.WebCore             	0x015578e4 WebCore::FrameLoader::checkCompleted() + 180
14  com.apple.WebCore             	0x01557ac4 WebCore::FrameLoader::completed() + 148
15  com.apple.WebCore             	0x015578f8 WebCore::FrameLoader::checkCompleted() + 200
16  com.apple.WebCore             	0x01b25968 WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader*) + 408
17  com.apple.WebCore             	0x01d26f9c WebCore::SubresourceLoader::didFinishLoading() + 76
18  com.apple.Foundation          	0x92372814 _NSURLConnectionDidFinishLoading + 120
19  com.apple.CFNetwork           	0x93d0fd8c URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 236
20  com.apple.CFNetwork           	0x93d10a08 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 172
21  com.apple.CFNetwork           	0x93d10cd8 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 892
22  com.apple.CFNetwork           	0x93d0f500 URLConnectionClient::processEvents() + 132
23  com.apple.CFNetwork           	0x93cb9020 MultiplexerSource::perform() + 168
24  com.apple.CoreFoundation      	0x953270d0 CFRunLoopRunSpecific + 1104
25  com.apple.HIToolbox           	0x90d99b14 RunCurrentEventLoopInMode + 264
26  com.apple.HIToolbox           	0x90d99938 ReceiveNextEventCommon + 412
27  com.apple.HIToolbox           	0x90d99778 BlockUntilNextEventMatchingListInMode + 84
28  com.apple.AppKit              	0x9277d244 _DPSNextEvent + 596
29  com.apple.AppKit              	0x9277cbfc -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 112
30  com.apple.Safari              	0x0000dbf4 0x1000 + 52212
31  com.apple.AppKit              	0x9277689c -[NSApplication run] + 744
32  com.apple.AppKit              	0x92747298 NSApplicationMain + 440
33  com.apple.Safari              	0x0000302c 0x1000 + 8236
Comment 1 Mark Rowe (bdash) 2010-03-13 13:08:12 PST
*** Bug 36087 has been marked as a duplicate of this bug. ***
Comment 2 Mark Rowe (bdash) 2010-03-13 13:08:16 PST
*** Bug 36086 has been marked as a duplicate of this bug. ***
Comment 3 Mark Rowe (bdash) 2010-03-13 13:08:52 PST
<rdar://problem/7751468>
Comment 4 Gavin Barraclough 2010-03-13 15:47:42 PST
Nothing obvious in this range, will need to test on PPC to find the exact revision causing the problem.
Comment 5 Alexey Proskuryakov 2010-03-13 16:36:25 PST
*** Bug 36090 has been marked as a duplicate of this bug. ***
Comment 6 Alexey Proskuryakov 2010-03-15 20:34:41 PDT
*** Bug 36126 has been marked as a duplicate of this bug. ***
Comment 7 Gavin Barraclough 2010-03-16 15:55:30 PDT
Created attachment 50848 [details]
The patch

The problem is a bug in our port of PCRE - that a read may take place from the first character in an empty string.  For the time being, revert to using a valid pointer in the data segment rather than an invalid non-null pointer into the zero-page for the empty string's data pointer.  A better fix for this will be to remove PCRE.
Comment 8 Oliver Hunt 2010-03-16 15:57:20 PDT
Comment on attachment 50848 [details]
The patch

r=me
Comment 9 Darin Adler 2010-03-16 15:57:31 PDT
Comment on attachment 50848 [details]
The patch

> +// FIXME: This works around a bug in our port of pcre, that a regular expression run on the empty string
> +//        may still perform a read from the first element, and as such we need this to be a valid pointer.
> +//        No code should ever be reading from a zero length string, so this should be able to be a non-null
> +//        pointer into the zero-page.  Replace this with 'reinterpret_cast<UChar*>(static_cast<intptr_t>(1))'
> +//        once PCRE goes away.

We don't format our comments this way. The subsequent lines go under FIXME, not indented.

Also, once space after a period.

Also, call it PCRE the first time, not pcre.

> +static UChar emptyUCharData = 0;

This can go inside the function instead out outside at file level.
Comment 10 Gavin Barraclough 2010-03-16 16:15:49 PDT
Fixed in r56092.